X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=genrules.py;h=da42e01732795f85a6c30b3e53913d7ac9a304f9;hb=9779a53938e32d7d81f3c45346731cb06401ae94;hp=51e547d2d28a12f346aac036cd63f052637b757a;hpb=348583843f9499b0f1c335edc684a077bb2c2710;p=flowspec-xdp diff --git a/genrules.py b/genrules.py index 51e547d..da42e01 100755 --- a/genrules.py +++ b/genrules.py @@ -4,6 +4,7 @@ import sys import ipaddress from enum import Enum import argparse +import math IP_PROTO_ICMP = 1 @@ -288,6 +289,7 @@ with open("rules.h", "w") as out: rules4 = "" use_v6_frags = False rulecnt = 0 + ratelimitcnt = 0 lastrule = None for line in sys.stdin.readlines(): @@ -368,11 +370,59 @@ with open("rules.h", "w") as out: continue ty = blocks[1].strip()[:6] low_bytes = int(blocks[2].strip(") \n"), 16) - if ty == "0x8006": + if ty == "0x8006" or ty == "0x800c": + if first_action is not None: + # Two ratelimit actions, just drop the old one. RFC 8955 says we can. + first_action = None + exp = (low_bytes & (0xff << 23)) >> 23 if low_bytes == 0: first_action = "return XDP_DROP;" + elif low_bytes & (1 << 31) != 0: + # Negative limit, just drop + first_action = "return XDP_DROP;" + elif exp == 0xff: + # NaN/INF. Just treat as INF and accept + first_action = None + elif exp <= 127: # < 1 + first_action = "return XDP_DROP;" + elif exp >= 127 + 63: # The count won't even fit in 64-bits, just accept + first_action = None else: - assert False # Not yet supported + mantissa = low_bytes & ((1 << 23) - 1) + value = 1.0 + mantissa / (2**23) + value *= 2**(exp-127) + if ty == "0x8006": + accessor = "rate->rate.sent_bytes" + else: + accessor = "rate->rate.sent_packets" + # Note that int64_t will overflow after 292 years of uptime + first_action = "int64_t time = bpf_ktime_get_ns();\n" + first_action += f"const uint32_t ratelimitidx = {ratelimitcnt};\n" + first_action += "uint64_t allowed_since_last = 0;\n" + first_action += "struct ratelimit *rate = bpf_map_lookup_elem(&rate_map, &ratelimitidx);\n" + first_action += "if (rate) {\n" + first_action += "\tbpf_spin_lock(&rate->lock);\n" + first_action += f"\tif (likely({accessor} > 0))" + " {\n" + first_action += "\t\tint64_t diff = time - rate->sent_time;\n" + # Unlikely or not, if the flow is slow, take a perf hit (though with the else if branch it doesn't matter) + first_action += "\t\tif (unlikely(diff > 1000000000))\n" + first_action += f"\t\t\t{accessor} = 0;\n" + first_action += "\t\telse if (likely(diff > 0))\n" + first_action += f"\t\t\tallowed_since_last = ((uint64_t)diff) * {math.floor(value)} / 1000000000;\n" + first_action += "\t}\n" + first_action += f"\tif ({accessor} - ((int64_t)allowed_since_last) <= 0)" + " {\n" + if ty == "0x8006": + first_action += f"\t\t{accessor} = data_end - pktdata;\n" + else: + first_action += f"\t\t{accessor} = 1;\n" + first_action += "\t\trate->sent_time = time;\n" + first_action += "\t\tbpf_spin_unlock(&rate->lock);\n" + first_action += "\t} else {\n" + first_action += "\t\tbpf_spin_unlock(&rate->lock);\n" + first_action += "\t\treturn XDP_DROP;\n" + first_action += "\t}\n" + first_action += "}\n" + ratelimitcnt += 1 elif ty == "0x8007": if low_bytes & 1 == 0: last_action = "return XDP_PASS;" @@ -389,7 +439,8 @@ with open("rules.h", "w") as out: write_rule("uint8_t orig_tos = ip->tos;") write_rule("ip->tos = (ip->tos & 3) | " + str(low_bytes << 2) + ";") write_rule("chk = (chk - orig_tos + ip->tos);") - write_rule("if (unlikely(chk < 0)) { chk += 65534; }") + write_rule("if (unlikely(chk > 0xffff)) { chk -= 65535; }") + write_rule("else if (unlikely(chk < 0)) { chk += 65535; }") write_rule("ip->check = ~BE16(chk);") else: write_rule("ip6->priority = " + str(low_bytes >> 2) + ";") @@ -407,6 +458,8 @@ with open("rules.h", "w") as out: out.write("\n") out.write(f"#define RULECNT {rulecnt}\n") + if ratelimitcnt != 0: + out.write(f"#define RATE_CNT {ratelimitcnt}\n") if rules4 != "": out.write("#define NEED_V4_PARSE\n") out.write("#define RULES4 {\\\n" + rules4 + "}\n")